To include schema data that have been deleted through compressing and schema modifications in the synchronization project, update each schema in the synchronization project. This may be necessary if:
To update a system connection schema
- OR -
Select the category Configuration | One Identity Manager connection.
This reloads the schema data.
Then you can add the changes to the schema property mapping.
NOTE: The synchronization is deactivated if the schema of an activated synchronization project is updated. Reactivate the synchronization project to synchronize.
Memberships, for example, user accounts in groups, are saved in assignment tables in the One Identity Manager database. Membership lists are commonly maintained as an object property in the target system. If a membership is modified in One Identity Manager, the object must be updated.
To record whether a membership has changed, the assignment's base table stores the date of the last membership change in the column Dependencies modification date (XDateSubItem). During provisioning of modified memberships, One Identity Manager decides which objects must be updated based on this date. For synchronization with revision filtering, the highest value from XDateSubItem and XDateUpdated is used as the revision counter for the database objects.
If a membership is changed in One Identity Manager, the change date for dependencies must be updated so that the modification can be provisioned.
The base table has the column XDateSubItem.
NOTE: If this column does not exist in the assignment's base table, you can extend the base table. Create the column CCC_XDateSubItem to do this.
Figure 13: Memberships in the One Identity Manager database
If a membership changes (through insertion, deletion or resetting of status "Outstanding"), a task for updating the column XDateSubItem of the base table is queued in the DBQueue (QBM-K-XDateSubItemUpdate). If necessary, more processing tasks, for example, calculating inheritance, are queued in the DBQueue. These tasks are handled first. The task QBM-K-XDateSubItemUpdate is deferred until all the processing tasks for the modified object and the module to which it belongs have been handled. If other memberships in this module are changed in the meantime, these changes are collected by the existing task for updating the column XDateSubItem and subsequently handled together. Once the task QBM-K-XDateSubItemUpdate is run, an update task for the column XDateSubItem is queued in the Job queue. The column value is updated. The task for provisioning changed memberships is then placed in the Job queue.
Figure 14: Processing a Membership Change in One Identity Manager
An Active Directory user account's membership in an Active Directory group is deleted in One Identity Manager (table ADSAccountInADSGroup). The change date for dependencies is updated on the Active Directory group (ADSGroup.XDateSubItem). The change to the membership for this Active Directory group is provisioned in the target system. The next time synchronization with revision filtering is run, XDateSubItem is taken as the highest change date for the revision counter and is compared to the schema type's revision.
During the membership provisioning, changes made in the target system will probably be overwritten. This behavior can occur under the following conditions:
If a membership in One Identity Manager changes, the complete list of members is transferred to the target system by default. As a result, memberships previously added to the target system are removed and previously deleted memberships are added again.
To prevent this, provisioning can be configured such that only the modified membership is provisioned in the target system. To do this, set the option Enable merging on the assignment table (DPRNameSpaceHasDialogTable.IsAdHocSingleMemberShip = TRUE). For more detailed information about setting this option, see the administration guides for connecting to each target system.
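The difference between the default full-list transfer and merging can be modeled with plain sets. This is an added example, not One Identity Manager code: the function names, the `Change` type and the sample member names are hypothetical and constructed for illustration. It also reports which target-side changes a full-list transfer would undo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    member: str
    action: str  # "add" or "remove", as recorded in One Identity Manager


def apply_changes(members, changes):
    """Merge-style update: apply only the modified memberships."""
    result = set(members)
    for change in changes:
        if change.action == "add":
            result.add(change.member)
        elif change.action == "remove":
            result.discard(change.member)
        else:
            raise ValueError(f"unknown action: {change.action!r}")
    return result


def provision_full_list(idm_members):
    """Default behaviour: the complete member list replaces the target's list."""
    return set(idm_members)


def overwrite_report(idm_before, target_members, changes):
    """List target-side changes that full-list provisioning would undo."""
    target = set(target_members)
    full = provision_full_list(apply_changes(idm_before, changes))
    intended = {change.member for change in changes}
    return {
        "removed_from_target": sorted(target - full - intended),
        "re_added_to_target": sorted(full - target - intended),
    }


# Constructed sample data: the target group drifted from the database view.
IDM_BEFORE = {"alice", "bob", "carol"}
TARGET = {"alice", "bob", "dave"}      # carol removed, dave added in the target
CHANGES = [Change("bob", "remove")]    # the only change made in the database

FULL_RESULT = provision_full_list(apply_changes(IDM_BEFORE, CHANGES))
MERGE_RESULT = apply_changes(TARGET, CHANGES)
REPORT = overwrite_report(IDM_BEFORE, TARGET, CHANGES)

if __name__ == "__main__":
    print("full list:", sorted(FULL_RESULT))
    print("merge:    ", sorted(MERGE_RESULT))
    print("undone by full list:", REPORT)
```

Running such a comparison against an exported member list before a provisioning run shows whether memberships changed directly in the target system would be reverted.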
Additional processing steps are executed for tables with this option enabled.
|Provisioning process|Entry in DPRMemberShipAction|Comment|
|---|---|---|
|Fail|Remains intact|A new modification to the object is reprocessed by provisioning and deleted on success.|
|Failed and deleted|Remains intact|Deleted during daily maintenance.|
All entries without a provisioning task in the Job queue are deleted in the process of these maintenance jobs.
NOTE: The complete members list is updated by synchronization. During this process, objects with changes but incomplete provisioning are not handled. These objects are logged in the synchronization log.